Chazy Chaz's questions

I'm using different PHP-FPM pools with specific users each one. I just switched memcached to use a socket instead of tcp/udp ports (for many reasons including the recent attacks on the 11211 port).

I’ve modified the systemd unit file accordingly:

ExecStart=/usr/bin/memcached -s /var/run/memcached/memcached.socket -a 0770 -o modern

The socket is created with correct permissions:

$ ls -la /var/run/memcached/memcached.socket
srwxrwx--- 1 memcached memcached 0 Jul  5 15:41 /var/run/memcached/memcached.socket

Then I’ve included the php-fpm pool user into the memcached group so php can connect to the socket:

$ gpasswd pooluser memcached

Made sure it is:

$ groups pooluser
pooluser memcached

And finally I’ve configured the php script:

$memcached->addServer('/var/run/memcached/memcached.socket', 0)

The only reason I can think of is that PHP-FPM is using another user to establish the connection. The php extension fails to access the socket:

var_dump($memcached->addServer('/var/run/memcached/memcached.socket', 0))
// bool(true)

var_dump($memcached->set('key', 'value')
// bool(false)

If I change the umask to 0777 then it can connect, so it is not a configuration problem, it is a permissions problem.

I'm using another unix socket, to connect PDO() to mariadb (mysql), and I've checked and the mysql.socket has 0777 by default (at least I didn't configure anything for mariadb).

So should I give unix sockets 0777 permissions or not? In any case I'd like to figure out why php-memcached can't access the socket.

I've been reading the php-fpm documentation and found out that I can give each socket its own user, group and mode, but how can I tell apache (per vhost I mean) to use x user and y group to connect to the sockets?

What I want to achieve is to prevent pools from reading each other files, in case of breach, only the files for that domain would be leaked and nothing else. I know how I can do this for the fpm pools using the user and group settings and then giving the file structure their proper permissions. But what about the same http user being able to access all fpm sockets? Should I be concerned about that or not?

pool1.conf (php-fpm)

[pool1]
user = domain1
group = domain1
listen = /run/php-fpm/www.domain1.sock
listen.owner = http
listen.group = http
listen.mode = 0660

domain1.conf (apache virtual host)

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName www.domain1.com

    DocumentRoot "/srv/http/domain1.com/www"
    <Directory "/srv/http/domain1.com/www">
        <IfModule dir_module>
            DirectoryIndex index.php
        </IfModule>

        <Files "index.php">
            SetHandler "proxy:unix:/run/php-fpm/www.domain1.sock|fcgi://localhost/"
        </Files>

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteRule ^index\.php$ - [L]
            RewriteRule . index.php [L]
        </IfModule>
    </Directory>

    SSLEngine On
    SSLCertificateFile "/etc/letsencrypt/live/domain1.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain1.com/privkey.pem"
    Protocols h2 h2c
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    ErrorLog "/srv/protected/sites/domain1.com/logs/www-error_log"
    CustomLog "/srv/protected/sites/domain1.com/logs/www-access_log" common
</VirtualHost>

I'm also trying to figure out why does the default value for listen.mode is 0660? Why does the http group need read+write permissions?

I want to prevent spoofing so I found this postfix option:

smtpd_sender_login_maps (default: empty)

    Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
    ...

Then I found this answer: https://serverfault.com/a/710235/371610 that says how to use a regex so that in setups with multiple virtual domains and many users there's no need to edit the table to add or remove:

/etc/postfix/login_map:

/^(.*)$/   ${1}

/etc/postfix/main.cf:

smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_relay_restrictions = permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination

Same error with:

smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_sender_login_mismatch

The problem is that with that regex incoming mails (from hotmail or gmail for example) are being rejected with the error:

NOQUEUE: reject: RCPT from mail-oln040092064102.outbound.protection.outlook.com[40.92.64.102]: 553 5.7.1 [email protected]: Sender address rejected: not logged in; [email protected] [email protected] proto=ESMTP helo=<EUR01-DB5-obe.outbound.protection.outlook.com>

Is there any way to do this without having to write a table mapping each email to itself:

[email protected]    [email protected]
[email protected]   [email protected]
etc...

Or would it be better to use sql, and then selecting two times the column that has the complete email address? What do you think? I'm about to migrate the virtual domains/users to sql.

EDIT

I have moved reject_sender_login_mismatch as suggested:

smtpd_sender_login_maps=pcre:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_sender_login_mismatch

smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

But I'm still getting the same Sender address rejected: not logged in; error.

This is my config:

# postconf -n                                                                                                                                                                                                               
alias_database = $alias_maps                                                                                                                                                                                                                 
alias_maps = hash:/etc/postfix/aliases                                                                                                                                                                                                       
broken_sasl_auth_clients = no                                                                                                                                                                                                                
command_directory = /usr/bin                                                                                                                                                                                                                 
compatibility_level = 2                                                                                                                                                                                                                      
daemon_directory = /usr/lib/postfix/bin                                                                                                                                                                                                      
data_directory = /var/lib/postfix                                                                                                                                                                                                            
debug_peer_level = 2                                                                                                                                                                                                                         
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5                                                                                                                
disable_vrfy_command = yes                                                                                                                                                                                                                   
home_mailbox = Maildir/                                                                                                                                                                                                                      
html_directory = no                                                                                                                                                                                                                          
inet_protocols = ipv4                                                                                                                                                                                                                        
mail_owner = postfix                                                                                                                                                                                                                         
mailbox_size_limit = 0                                                                                                                                                                                                                       
mailq_path = /usr/bin/mailq                                                                                                                                                                                                                  
manpage_directory = /usr/share/man                                                                                                                                                                        
meta_directory = /etc/postfix                                                                                                                                                                                                                
milter_default_action = accept                                                                                                                                                                                                               
mydestination = localhost                                                                                                                                                                                                                    
myhostname = mail.domain.com                                                                                                                                               
mynetworks_style = host                                                                                                                                                                                                                      
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = HIGH
smtp_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtp_tls_protocols = !SSLv2:!SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_enforce_tls = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_milters = unix:/run/opendkim/opendkim.sock
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/login_maps
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_sender_login_mismatch
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = aNULL:eNULL:MEDIUM:LOW:EXPORT:EXP:3DES:DSS:RC4:SEED:ECDSA:MD5:PSK
smtpd_tls_key_file = /etc/letsencrypt/live/domain/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = HIGH
smtpd_tls_mandatory_protocols = !SSLv2:!SSLv3:!TLSv1
smtpd_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:73
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = domain.com another.com yetanother.com
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 50
virtual_uid_maps = static:73

And /etc/postfix/login_maps:

[email protected]    [email protected]
[email protected]   [email protected]
etc...

This way it's working, no matter where I place reject_sender_login_mismatch. And again, no matter where I place it, if I use a regex I'm getting the error. So right now is inside smtpd_sender_restrictions, shouldn't only target outgoing (virtual domains only) mail instead of incoming too?

I configured OpenDkim to work with postfix and I'm getting the following error when I try to send mail out:

postfix/cleanup[11542]: 40F271A291A: milter-reject: END-OF-MESSAGE from ***[***]: 4.7.1 Service unavailable - try again later; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.10]>

I've configured opendkim to use a unix socket, and it's working:

[chazy@mail ~]$ sudo netstat -nalp | grep dkim
unix  2      [ ACC ]     STREAM     LISTENING     144135   11267/opendkim       /run/opendkim/opendkim.sock
unix  3      [ ]         STREAM     CONNECTED     147626   11267/opendkim       /run/opendkim/opendkim.sock
unix  2      [ ]         DGRAM                    144137   11267/opendkim

Opendkim is started by it's own user, as suggested by the Arch wiki (as well as the other security recommendations). The folders are also owned by opendkim:mail.

I'm using the same selector and signing key for all domains, is that a problem?

The postfix configuration is as follows:

# DKIM
milter_default_action = accept
smtpd_milters = unix:/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock

No anti-spam service installed for the moment, just a basic postfix/dovecot/opendkim configuration to test the server.

Opendkim config:

# /etc/opendkim/opendkim.conf

BaseDirectory           /var/lib/opendkim
Canonicalization        relaxed/simple
Domain                  domain1.com domain2.com
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyFile                 /etc/opendkim/201704.private
KeyTable                refile:/etc/opendkim/KeyTable
Selector                201704
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  local:/run/opendkim/opendkim.sock
Syslog                  Yes
TemporaryDirectory      /run/opendkim
UMask                   002
UserID                  opendkim:mail

TrustedHosts config:

# /etc/opendkim/TrustedHosts

# Trusted Hosts List
127.0.0.1
::1
x.x.x.x # Server IP
mail.maindomain.com

# Domains
maindomain.com
domain2.com

I configured postfix with a fake hostname to avoid this error... but I need to use a real domain to setup rDNS.

When I send mail to [email protected] I get the following error:

postfix/smtpd[3540]: NOQUEUE: reject: RCPT from mail-oln040092065078.outbound.protection.outlook.com[40.92.65.78]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table;

The table is configured for the user I try to send mail, and neither I forgot to regenerate the db file (sudo postmap /etc/postfix/vmailbox). That error doesn't make any sense at all!

Using another domain in myhostname will "fix" the error for the previously affected domain, but the new specified domain will suffer the same, that's why I used a fake one.

Now, I can't keep avoiding it, so does anyone know why I'm getting that error for the main domain?

# /etc/postfix/main.cf

compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/bin
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.example.com
mydestination = $mydomain, localhost.$mydomain, localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
mynetworks_style = host
alias_maps = hash:/etc/postfix/aliases
alias_database = $alias_maps
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/bin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix
inet_protocols = ipv4
meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
virtual_mailbox_domains = another.com yetanother.com
virtual_mailbox_base = /mail
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 50
virtual_uid_maps = static:73
virtual_gid_maps = static:73
virtual_alias_maps = hash:/etc/postfix/virtual # empty (comments only)
mailbox_size_limit = 0
virtual_mailbox_limit = 0

# TLS
#tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256$
tls_random_source=dev:/dev/urandom

# Incoming
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_enforce_tls=yes
smtpd_tls_protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:TLSv1.2
smtpd_tls_mandatory_protocols=!SSLv2:!SSLv3
smtpd_tls_exclude_ciphers=aNULL:eNULL:EXPORT:EXP:3DES:DES:DSS:RC4:SEED:ECDSA:MD5:PSK:aECDH:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:KRB5-DES:CBC3-SHA:CAMELLIA256-SHA:MEDIUM:LOW
smtpd_tls_mandatory_ciphers=HIGH
smtpd_tls_received_header=yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level=encrypt
smtpd_tls_cert_file=/etc/ssl/certs/server.crt
smtpd_tls_key_file=/etc/ssl/private/server.key
smtpd_tls_loglevel=1
smtpd_tls_eecdh_grade=ultra

# Outgoing
smtp_use_tls=yes
smtp_tls_protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1:TLSv1.2
smtp_tls_mandatory_protocols=!SSLv2:!SSLv3
smtp_tls_exclude_ciphers=aNULL:eNULL:EXPORT:EXP:3DES:DES:DSS:RC4:SEED:ECDSA:MD5:PSK:aECDH:EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:KRB5-DES:CBC3-SHA:CAMELLIA256-SHA:MEDIUM:LOW
smtp_tls_mandatory_ciphers=HIGH
smtp_tls_security_level=may
#smtp_tls_policy_maps=may
smtp_tls_cert_file=/etc/ssl/certs/server.crt
smtp_tls_key_file=/etc/ssl/private/server.key
smtp_tls_loglevel=1

# SASL
smtpd_sasl_type=dovecot
#smtp_sasl_type=dovecot
smtpd_sasl_auth_enable=yes
#smtp_sasl_auth_enable=yes
broken_sasl_auth_clients=no
smtpd_sasl_authenticated_header=yes
smtpd_sasl_local_domain=$myhostname
smtpd_sasl_security_options=noplaintext, noanonymous
#smtp_sasl_security_options=noplaintext, noanonymous
smtpd_sasl_path=private/auth
#smtp_sasl_path=private/auth

smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, check_relay_domains, reject_unauth_destination

# prevent leaking valid e-mail addresses
disable_vrfy_command=yes

#smtpd_client_restrictions

I'm thinking on building my own (micro-atx) router for business and personal projects at home.

My question is what kind of network card do I need to receive the fiber optic connection? I'm currently using the router my ISP provides me but I want to replace it.

I've been looking and I can only find super expensive cards (more than 150-250€) and I think those are not the ones I need, so can anyone point me in the right direction?

I will be using a Linux distro with iptables, dhcp, bind, etc...

I have setup a local webserver to develop my php apps, everything should be working ok (no problem testing the domain through a proxy website), but when I navigate from local, sometimes the request won't finish loading (it keeps loading for a while but never throws a 500 error or something like busy server, it eventually finish loading).

Apache is configured to listen to my private IP and the port (both 80 and 443) is open in the router (pointing to my IP too). The domain is pointing to my public IP (that is dynamic but it doesn't change too often).

# httpd.conf
Listen 192.168.1.10:80
ServerName *public ip*

# httpd-ssl.conf
Listen 192.168.1.10:443

I have a default vhost (the first one) for port 80 (in it's httpd-vhosts.conf file) and another one for port 443 (in it's httpd-ssl.conf file) with it's own ssl (auto-signed) certificate. The rest of the vhosts are in the vhosts folder, using the wildcard *:80 and *:443 because I couldn't make them work with their domain/subdomain names (I already read about name based vhosts but nothing). They are properly configured and working ok, though.

I don't think it's a php-fpm problem because I tried a subdomain that doesn't use the php handler at all (in fact, it's set to use the default handler for all files in its vhost block). The php-fpm configuration for apache is set on each vhost block as needed, I don't have a single file for it. Is this ok? (And a quick question about php and fpm, does php have its own log file when using fpm? Or is everything logged into the php-fpm log file? I set the error_log in php.ini but nothing is logged, not even the file is created)

I have set the loglevel to debug, but I really don't know where the problem could be (it even may be a nat problem): http://pastebin.com/cTjyxwYf

I see gaps of 2 minutes, that's when I click and it keeps loading, maybe it's a nat/router problem. Any way to fix this?

I've created a let's encrypt certificate, for my domain, using certbot. I've made sure to include www and some (needed) subdomains, so the certificate should be valid for non-www and www:

domain.com www.domain.com sub1.domain.com ...

But this is not the case, if I try to access to https://domain.com it'll throw a ssl error.

In the certificate viewer (when accessing through www) I can see Common Name (CA) domain.com. The Certificate Subject Alt Name contains the non-www and www...

So I don't understand why it gives this error:

domain.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: SEC_ERROR_UNKNOWN_ISSUER

I did generate a self-signed certificate but for the default virtualhost block (the one in httpd-ssl.conf), the other blocks are using the let's encrypt certificate.

I also made sure to deleted the firefox cache.

I did add an exception and now it redirects to https://www.domain.com everytime I write https://domain.com.

I'm using Apache 2.4.23 and my vhosts config is as follows:

<VirtualHosts *:80>
    Servername domain.com
    Redirect permanent / https://www.domain.com/
</VirtualHosts>

<VirtualHost *:443>
    ServerName domain.com:443
    Redirect permanent / https://www.domain.com:443/
</VirtualHost>

<VirtualHost *:PORT> # 80 and 443
    ServerAdmin [email protected]
    DocumentRoot "/srv/http/domain.com/www"
    ServerName www.domain.com:443
    Protocols h2 h2c

    <Directory "/srv/http/domain.com/www">
        Require all granted

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^index\.php$ - [L]
            RewriteRule . index.php [L]
        </IfModule>
    </Directory>

    <IfModule dir_module>
        DirectoryIndex index.php
    </IfModule>

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/domain.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain.com/privkey.pem"
    Header always set Strict-Transport-Security "max-age=15768000"
    ErrorLog "/var/log/httpd/domain.com-ssl_error_log"
    CustomLog "/var/log/httpd/domain.com-ssl_access_log" common
    LogLevel debug
</VirtualHost>